Migrating from Lighttpd : mod_secdownload show-stopper ?

Francis Daly francis at daoine.org
Wed Feb 23 12:44:12 MSK 2011


On Tue, Feb 22, 2011 at 12:20:20PM +0000, Francis Daly wrote:
> On Tue, Feb 22, 2011 at 05:03:00AM -0500, thoseg wrote:

Hi there,

> > I have some (strong) requirements like to not modify the application
> > code

> > Secured link :
> > http://secure.domain.com/get/24b9cb61c9c2c9070038aceaaf7bae5a/4d63842e/2/H264-384x288/04/85/3120485.h264

> To use the vanilla nginx http_secure_link_module, your old links will
> be broken, and you'll have to change the application's code.

As was suggested earlier in the thread, you *could* preserve the lighttpd
interface by scripting, while waiting for / working on a mod_secdownload
equivalent in nginx.

One (rushed) version in php is included below. Do read it carefully and
check for unexpected results (do you know what happens when the string
given to hexdec() is rather long?) before testing whether the system
performance is adequate in your proposed new environment.

The nginx.conf section is something like

===
        location /get/ {
            location ~ /get/[0-9a-f]+/[0-9a-f]+/ {
                fastcgi_pass  unix:php.sock;
                include fastcgi.conf;
                fastcgi_param  SCRIPT_FILENAME /mnt/medias/secure_get;
            }
            location /get/secured/ {
                internal;
                alias /mnt/medias/;
            }
            return 404;
        }
===

(spot the bits you need to change)

and the secure_get script is similar to

===
<?php
# migrate from lighttpd/mod_secdownload
# I care about parts 2, 3, and remains of REQUEST_URI.
# $_SERVER['REQUEST_URI'] = '/get/md5sum_hex/expires_hex/dir/and/file/name.ext'

# This is the secret used to generate the link in the first place
$secret = "secret";

list( $x, $x, $hash, $time, $file ) = explode( '/', $_SERVER['REQUEST_URI'], 5 );
$file = '/' . $file;
# mod_secdownload hashes secret, then path, then hex time, with no separators
$check = md5($secret . $file . $time);
# hexdec() returns a float once the value no longer fits in an int
$expires = hexdec($time);

# hash_equals() replaces the loose != comparison of two hex strings
if (!hash_equals($check, $hash)) {
  # hash is wrong
  header("HTTP/1.0 403 Forbidden");
  # add your preferred html body here
} elseif ($expires < $_SERVER['REQUEST_TIME']) {
  # hash is right, but time is past
  header("HTTP/1.0 410 Gone");
  # add your preferred html body here
} else {
  # hash is right and time is ok
  header("X-Accel-Redirect: /get/secured{$file}");
}
?>
===

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
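
An added example, not part of the original message: the same check as a standalone function that can be exercised from the command line, with the timestamp field bounded before it reaches hexdec() and the query string stripped before hashing. The names `secdownload_check` and `make_link`, the 8-digit limit on the time field, the secret and the timestamps are assumptions made for illustration; the MD5 input follows lighttpd's documented secret + path + hex-time order.

```php
<?php
// Added example, not from the original message. Function names, secret,
// timestamps and URIs are constructed for illustration.
function secdownload_check(string $uri, string $secret, int $now): array
{
    // REQUEST_URI carries the query string; only the path is hashed.
    $path = (string) parse_url($uri, PHP_URL_PATH);

    // /get/<32 hex md5>/<1-8 hex digits>/<path>. Bounding the time field
    // (assumed limit) keeps hexdec() from returning a float.
    if (!preg_match('#^/get/([0-9a-f]{32})/([0-9a-f]{1,8})(/.+)\z#', $path, $m)) {
        return [403, null];
    }
    [, $hash, $time, $file] = $m;

    // lighttpd hashes secret . path . hex_time; compare in constant time.
    if (!hash_equals(md5($secret . $file . $time), $hash)) {
        return [403, null];
    }
    if (hexdec($time) < $now) {
        return [410, null];   // hash is right, but time is past
    }
    return [200, '/get/secured' . $file];
}

// Build a link the way the application would (constructed values).
function make_link(string $secret, string $file, string $hexTime): string
{
    return '/get/' . md5($secret . $file . $hexTime) . '/' . $hexTime . $file;
}

$secret = 'secret';
$file   = '/2/H264-384x288/04/85/3120485.h264';
$now    = 1298450000;
$cases  = [
    'valid'     => make_link($secret, $file, sprintf('%08x', $now + 3600)),
    'expired'   => make_link($secret, $file, sprintf('%08x', $now - 3600)),
    'wrong key' => make_link('other', $file, sprintf('%08x', $now + 3600)),
    'long time' => make_link($secret, $file, str_repeat('f', 20)),
    'query'     => make_link($secret, $file, sprintf('%08x', $now + 3600)) . '?x=1',
];
foreach ($cases as $name => $uri) {
    [$status, $target] = secdownload_check($uri, $secret, $now);
    printf("%-9s => %d %s\n", $name, $status, $target ?? '-');
}
```

Run it with the `php` command-line binary: the `wrong key` and `long time` links are refused with 403, the expired link gets 410, and the valid link, with or without a query string, yields the internal redirect target.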


